From: Jon Maloy <jon.ma...@ericsson.com>
Date: Wed, 17 Jan 2018 16:42:46 +0100

> Letting tipc_poll() dereference a socket's pointer to struct tipc_group
> entails a race risk, as the group item may be deleted in a concurrent
> tipc_sk_join() or tipc_sk_leave() thread.
>
> We now move the 'open' flag in struct tipc_group to struct tipc_sock,
> and let the former retain only a pointer to the moved field. This will
> eliminate the race risk.
>
> Reported-by: syzbot+799dafde028679585...@syzkaller.appspotmail.com
> Signed-off-by: Jon Maloy <jon.ma...@ericsson.com>

Applied, thanks Jon.
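
The ownership change described in the quoted commit message, as an added single-threaded user-space model (not the kernel patch, which does not appear on this page). The struct and function names, and the flag values chosen at join and leave, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified user-space model; all names are hypothetical, not the kernel's. */
struct group;
struct sock {
    struct group *group;   /* replaced or freed by the join/leave paths */
    bool group_is_open;    /* the flag now lives in the long-lived socket */
};
struct group {
    bool *open;            /* points at the owner's flag; no copy of its own */
};

/* Join: the group keeps only a pointer to the socket-owned flag. */
static int sk_join(struct sock *sk)
{
    struct group *grp = malloc(sizeof(*grp));
    if (!grp)
        return -1;
    grp->open = &sk->group_is_open;
    *grp->open = false;    /* assumption: closed until group logic opens it */
    sk->group = grp;
    return 0;
}

/* Group-side code still updates the flag, but through its pointer. */
static void group_set_open(struct group *grp, bool open)
{
    *grp->open = open;
}

/* Leave: the group object is freed; the flag stays valid in the socket. */
static void sk_leave(struct sock *sk)
{
    struct group *grp = sk->group;
    sk->group = NULL;
    sk->group_is_open = true;  /* assumption: no group means not blocked */
    free(grp);
}

/* Poll path: reads only socket-owned memory and never follows sk->group,
 * so a concurrent join/leave freeing the group cannot leave it dangling. */
static bool sk_poll_writable(const struct sock *sk)
{
    return sk->group_is_open;
}
```

The model shows only the data layout; the join and leave paths still need their own serialization against each other.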